When Moses came down from the mountain, he carried just ten commandments for the guidance of mankind, but information security is a bit more complicated – we need eleven.
Published this month by the Jericho Forum, the list is the latest milestone for the group founded two years ago. Its mission: to sound a warning bell about flawed corporate security implementation.
Its argument was that in a world where firms need to collaborate and exchange data, and mobile working is growing fast, the old style of hard-perimeter security was just not up to the task. What we needed could be summed up in one, big mouthful of a word – deperimeterisation.
The commandments aim to outline in broad terms the basic tenets of good security in a deperimeterised world. Their author is Nick Bleech, who for the past year has also been in charge of information security for Rolls-Royce.
"Jericho has been open for business for a year, and we've had plenty of feedback – some good, some bad," he says. "But everyone agrees this is a business problem that is hitting a lot of organisations. Some say that a lot of what we are proposing is old wine in new bottles; we accept that. And we have some genuine work to do, to get the technical community and the suppliers involved, so their products can operate in our style of open networks."
The group's ideas have obviously sparked controversy in some quarters. "Users were reading last year that the Forum was suggesting they throw away their firewalls and just use strong crypto, and they thought that was baloney. It implied that what seemed to be working in securing their networks was in some sense wrong. But the feedback convinced us that deperimeterisation is about a problem that needs solving. It is not about strategy, and it is not optional."
People now want to see some details, and the commandments are a first step in expressing the broad principles in terms the business stakeholders can understand. "They look simple, but they took a lot of thought and they pull together the broad principles of what is needed," says Bleech.
"We wanted some sort of statement that could be readily communicated to senior stakeholders. They're wide-ranging statements, but there's another level of detail below them we are now publishing. The whole point is that everything we do ends up in the public domain."
That next level of detail will be a series of two-page summaries tackling problems covered by the commandments. Bleech expects between six and 12 of these to be available at the Jericho annual meeting taking place in London later this month.
"The idea is to crystallise what we see as the problems, and suggest a way forward," he says. "We'll identify more issues over the year, do more two-pagers, build that up into the level of detail that goes under the commandments, and support the decision-making we expect corporates to go through when purchasing."
The third commandment is an especially concise summary of a very big problem. "Before deperimeterisation, you assumed your system would work in the context of a secure organisation. I'd send usernames and passwords in the clear over the network with no problem," he says. So one of the upcoming supporting papers will show how existing network protocols map out for both security and openness.
"Many protocols have been designed with some sort of context in mind, usually a vendor's environment. So when you try to bridge them into environments they weren't designed to operate in, you have the classic example of assuming context at your peril, and the security breaks down."
He recalls the time when people tried to get Windows NT authentication to work in more hostile networks. "They found some of the weaknesses in Microsoft's implementation, which meant you could easily crack the passwords. It turned out Microsoft was making some simple assumptions about the security context."
Another three of the commandments deal with the concept of trust, which is clearly also crucial in a networked world. But what does Nick understand by the term? "We use the term trust because you need something a CIO or CFO can understand. There is no such thing as secure or insecure; you need to put it on a sliding scale that corresponds to levels of risk and trust," he says.
"We're not trying to gloss over the issue. Security has come down to: what's your policy? The answer is how you respond to the risks with the various types of controls that you need. If there is a policy defined between the two parties and it is being fulfilled, there is a level of trust."
Since he joined Rolls-Royce, he has seen deperimeterisation in action, and has had to react to the demands of the business. "Rolls-Royce has a huge supply chain. It is also a collaborative business, working very closely with customers and development partners. So we don't regard deperimeterisation as a strategy; we see it as a reality. I constantly receive external link requests to connect us up to other people's networks, and vice versa."
That drove a debate on how much they could still rely on the onionskin model – a network of concentric zones with the crown jewels in the middle. "The decision was that it was no longer tenable," he says. "In a year, I have seen increasing use of the deperimeterisation word in the scenarios we have to accommodate in our future strategy and system design."
But Jericho is not going to try and come up with all the answers itself. Bleech sees it more as a rallying point for the good work already carried out by standards bodies and developers around the world.
For instance, Rolls-Royce is making use of SAML 2 (Security Assertion Markup Language 2) to support the federated ID model it needs to provide seamless networking between its trusted business partners. Bleech is also urging software developers to adopt XACML (Extensible Access Control Markup Language), to provide a policy language that will allow administrators to define access control requirements for their applications.
So far, only a few software firms have implemented it, even though, as he says, the aerospace industry is interested in using it to help manage policies and trust.
He also pays tribute to the work of developers in creating security design patterns, basic templates, or recipes for tackling different security problems. "The good thing about security design patterns is they are reusable concepts you can use to make sure your systems are secure.
"For example, a lot of work has been done in the Microsoft development community, Java, open source and some security special interest groups on these design patterns. The idea is that, faced with common problems and constraints, a system designer can look up a pattern that will tell him how to solve it.
"In the Jericho Forum, we are trying to draw a lot of this stuff up to a pretty high level for articulation to the business stakeholders. Our goal is to highlight some of the ideas in the security design pattern community. They are not just about designing one piece of software, they are fundamental laws that should be followed when you put together enterprise-wide security architectures."
It's a battle to get interoperable systems and stop vendors introducing proprietary protocols, he says. "Why haven't we been able to join together all our corporate infrastructures and networks over the past 20 years? We've gone through various generations, from DCE, to CORBA to web services, via Kerberos, but many of the protocols and technology have not really been able to encompass the business requirements. It's been a long and painful process trying to open that up.
"We've made a lot of progress, and at Rolls-Royce we want to pull that through with the software we actually buy."
That final point is crucial. Jericho represents a growing group of large corporations with big budgets to spend. The vendors who have been allowed to join (although not vote) have the chance to see at close quarters what the business requirements are, and, if they listen, plan their products accordingly.
This stuff is not just for large enterprises, and the commandments are not just about technology. Secure systems must be configured and run properly to be really secure, which is why the number grew from 10 to 11 at a late stage. The late arrival is number 10, covering the segregation of duties, and should be noted by anyone outsourcing.
"We've plenty of examples where firms have several organisations in the mix, some of them offshore," says Bleech. "They think they can regulate it with strong contracts or by throwing lawyers at the problem. But their networking system administrators – out of sight and out of mind by several tiers – might have privileged access to services and databases with personal data and the corporate crown jewels. This is a prime example of why they need segregation of duties, so a remote network administrator can't bring down the entire organisation."
The Jericho Forum annual conference, hosted by SC Magazine, is on 25 April at the Grosvenor House Hotel. For details, visit www.jerichoforum.org.